The Cambridge University research team cracked the apparently impregnable four-digit PIN verification system used in the UK and Europe using the relatively simple technique of reverse engineering how a shop till reader verifies that a PIN entered by a customer is the right one, and what part the physical card plays in this process. In essence they have found a weakness in the protocol between the card and terminal.
What if a bogus reader, carried in a backpack say, could be wired to the credit card to tell the shop reader that a random PIN (any PIN with four digits), was correct? It turns out this is possible because the shop reader does not verify where the ‘verified by PIN’ handshake is coming from, and the card does not appear to care that the correct PIN sitting in its memory was not entered as long as the terminal is happy.
What this all means, sparing nobody.
Chip and PIN is a 20 year old technology and was designed for a world where card usage rates were a fraction of what they are today, where local point-of-sale verification was the exception rather than the norm, and where people didn’t mind queuing to wait for slow tills. Arguably, the design disqualifies it as a true two-factor authentication system because it authenticates itself.
That said, chip and PIN is here to stay. Just look at point-of-sale fraud rates in the US and compare them to the UK if you believe that asking for a PIN is an inherently flawed concept. Chip and PIN might look a bit silly, but it works well enough to make a return to the world of signatures still used in some countries a non-starter.
It will be patched up. It’s not easy to see how this can be done without updating the firmware in every terminal in the UK, and without having all the details to hand (and not being a chip and PIN engineer) that might require an update to the routines run from the chip inside every plastic card. My understanding is that this can be done when cards are inserted in terminals but will still be a pretty big undertaking requiring time and unfashionable amounts of money.
Another option might be to check every PIN used for transactions above a given threshold against a central database (as opposed to accepting a local verification as in the Cambridge flaw) in the way that was once standard procedure.
The ‘PIN verified’ line on every till receipt is not worth the paper it’s printed on because we now have small but real cause for doubt. Chip and PIN’s real flaw is that there is no accessible audit trail for a customer to prove that a transaction was or was not genuine. This means, in effect, that there is also no way for the industry to spot such hacks when they happen. The industry is as blind as the customers having their money stolen.
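To make the blindness concrete, here is an added toy model of the weakness and of the check an issuer could use to see it; it is not code from the article or from the Cambridge team. It assumes a card that folds its own record of whether a PIN was actually verified into the cryptogram it computes for the issuer, so that the terminal’s belief and the card’s record can be compared centrally. The real card data fields are not described on this page, so the key, the PIN and the request layout are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed placeholder for the key a card shares with its issuer.
ISSUER_KEY = b"constructed-placeholder-card-issuer-key"


def card_mac(amount: int, card_pin_verified: bool) -> bytes:
    """MAC over the data the card itself vouches for (toy construction)."""
    msg = f"{amount}|card_pin_verified={int(card_pin_verified)}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()


class Card:
    def __init__(self, pin: str):
        self._pin = pin
        self.pin_verified = False  # the card's own record for this transaction

    def verify_pin(self, candidate: str) -> bool:
        self.pin_verified = candidate == self._pin
        return self.pin_verified

    def cryptogram(self, amount: int):
        # The terminal's opinion is not an input here, so nothing sitting
        # between card and terminal can alter what the card reports.
        return self.pin_verified, card_mac(amount, self.pin_verified)


class DirectLink:
    """Terminal talking straight to the card."""

    def __init__(self, card: Card):
        self.card = card

    def verify_pin(self, candidate: str) -> bool:
        return self.card.verify_pin(candidate)

    def cryptogram(self, amount: int):
        return self.card.cryptogram(amount)


class TamperedLink(DirectLink):
    """Models the failure described above: the PIN check never reaches the
    card, and the terminal is simply told it succeeded."""

    def verify_pin(self, candidate: str) -> bool:
        return True


@dataclass
class AuthRequest:
    amount: int
    terminal_pin_verified: bool  # what the terminal believes
    card_pin_verified: bool      # what the card recorded
    mac: bytes


class Terminal:
    def __init__(self, link: DirectLink):
        self.link = link

    def transact(self, amount: int, entered_pin: str) -> AuthRequest:
        # The terminal cannot tell who answered; it trusts the reply as-is.
        claim = self.link.verify_pin(entered_pin)
        card_record, mac = self.link.cryptogram(amount)
        return AuthRequest(amount, claim, card_record, mac)


def legacy_authorise(req: AuthRequest) -> str:
    """Issuer that checks the cryptogram and the terminal's claim only."""
    if not hmac.compare_digest(card_mac(req.amount, req.card_pin_verified), req.mac):
        return "declined: cryptogram failed"
    return "approved" if req.terminal_pin_verified else "declined: PIN not verified"


def checking_authorise(req: AuthRequest) -> str:
    """Issuer that also cross-checks the terminal's claim against the card's record."""
    if not hmac.compare_digest(card_mac(req.amount, req.card_pin_verified), req.mac):
        return "declined: cryptogram failed"
    if req.terminal_pin_verified and not req.card_pin_verified:
        return "declined: terminal claims PIN verified but card recorded none"
    if not req.card_pin_verified:
        return "declined: PIN not verified"
    return "approved"


def run_transaction(entered_pin: str, tampered: bool = False, checking: bool = True) -> str:
    card = Card(pin="1234")  # constructed sample card
    link = TamperedLink(card) if tampered else DirectLink(card)
    req = Terminal(link).transact(amount=4999, entered_pin=entered_pin)
    return checking_authorise(req) if checking else legacy_authorise(req)


if __name__ == "__main__":
    print("honest, right PIN :", run_transaction("1234"))
    print("honest, wrong PIN :", run_transaction("0000"))
    print("tampered, legacy  :", run_transaction("0000", tampered=True, checking=False))
    print("tampered, checking:", run_transaction("0000", tampered=True))
```

The legacy issuer approves the tampered transaction because the only evidence it looks at is the terminal’s word; the checking issuer declines it because the card’s own, MAC-protected record disagrees. That disagreement is also the audit trail the article says customers currently lack.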
Staggeringly, nobody in the industry really wants to talk about whether this hack is foolproof, how it might be fixed, or even whether there is any way of working out if it’s already happened. The whole area is cloaked in secrecy. I can’t even get a straight answer as to whose job it is to fix it. Does anyone know, and can they fix it in under 20 committee meetings?
Whether they want to talk about it or not, to survive as a useful barrier chip and PIN must find a way of defending itself from attacks in a shorter timescale. Years and months is not fast enough. This kind of issue must be patched in days or weeks ideally. I see no sign that they grasp this yet.